- T1003.008 /etc/passwd and /etc/shadow
- Atomic Test #1: Access /etc/shadow (Local) [linux]
- Atomic Test #2: Access /etc/passwd (Local) [linux]
- T1557.002 ARP Cache Poisoning CONTRIBUTE A TEST
- T1558.004 AS-REP Roasting CONTRIBUTE A TEST
- T1552.003 Bash History
- Atomic Test #1: Search Through Bash History [linux, macos]
- T1110 Brute Force CONTRIBUTE A TEST
- T1003.005 Cached Domain Credentials CONTRIBUTE A TEST
- T1552.005 Cloud Instance Metadata API CONTRIBUTE A TEST
- T1552.007 Container API
- Atomic Test #1: ListSecrets [macos, linux]
- Atomic Test #2: Cat the contents of a Kubernetes service account token file [linux]
- T1056.004 Credential API Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1110.004 Credential Stuffing CONTRIBUTE A TEST
- T1552.001 Credentials In Files
- Atomic Test #1: Extract Browser and System credentials with LaZagne [macos]
- Atomic Test #2: Extract passwords with grep [macos, linux]
- Atomic Test #3: Extracting passwords with findstr [windows]
- Atomic Test #4: Access unattend.xml [windows]
- Atomic Test #5: Find and Access Github Credentials [macos, linux]
- T1555 Credentials from Password Stores
- Atomic Test #1: Extract Windows Credential Manager via VBA [windows]
- T1555.003 Credentials from Web Browsers
- Atomic Test #1: Run Chrome-password Collector [windows]
- Atomic Test #2: Search macOS Safari Cookies [macos]
- Atomic Test #3: LaZagne - Credentials from Browser [windows]
- T1552.002 Credentials in Registry
- Atomic Test #1: Enumeration for Credentials in Registry [windows]
- Atomic Test #2: Enumeration for PuTTY Credentials in Registry [windows]
- T1003.006 DCSync
- Atomic Test #1: DCSync [windows]
- T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
- T1212 Exploitation for Credential Access CONTRIBUTE A TEST
- T1187 Forced Authentication CONTRIBUTE A TEST
- T1606 Forge Web Credentials CONTRIBUTE A TEST
- T1056.002 GUI Input Capture
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1558.001 Golden Ticket
- Atomic Test #1: Crafting golden tickets with mimikatz [windows]
- T1552.006 Group Policy Preferences
- Atomic Test #1: GPP Passwords (findstr) [windows]
- Atomic Test #2: GPP Passwords (Get-GPPPassword) [windows]
- T1056 Input Capture CONTRIBUTE A TEST
- T1558.003 Kerberoasting
- Atomic Test #1: Request for service tickets [windows]
- T1555.001 Keychain
- Atomic Test #1: Keychain [macos]
- T1056.001 Keylogging
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST
- T1003.004 LSA Secrets
- Atomic Test #1: Dumping LSA Secrets [windows]
- T1003.001 LSASS Memory
- Atomic Test #1: Windows Credential Editor [windows]
- Atomic Test #2: Dump LSASS.exe Memory using ProcDump [windows]
- Atomic Test #3: Dump LSASS.exe Memory using comsvcs.dll [windows]
- Atomic Test #4: Dump LSASS.exe Memory using direct system calls and API unhooking [windows]
- Atomic Test #5: Dump LSASS.exe Memory using Windows Task Manager [windows]
- Atomic Test #6: Offline Credential Theft With Mimikatz [windows]
- Atomic Test #7: LSASS read with pypykatz [windows]
- Atomic Test #8: Dump LSASS.exe Memory using Out-Minidump.ps1 [windows]
- Atomic Test #9: Create Mini Dump of LSASS.exe using ProcDump [windows]
- Atomic Test #10: Powershell Mimikatz [windows]
- Atomic Test #11: Dump LSASS with .Net 5 createdump.exe [windows]
- Atomic Test #12: Dump LSASS.exe using imported Microsoft DLLs [windows]
- T1557 Man-in-the-Middle CONTRIBUTE A TEST
- T1556 Modify Authentication Process CONTRIBUTE A TEST
- T1003.003 NTDS
- Atomic Test #1: Create Volume Shadow Copy with vssadmin [windows]
- Atomic Test #2: Copy NTDS.dit from Volume Shadow Copy [windows]
- Atomic Test #3: Dump Active Directory Database with NTDSUtil [windows]
- Atomic Test #4: Create Volume Shadow Copy with WMI [windows]
- Atomic Test #5: Create Volume Shadow Copy with Powershell [windows]
- Atomic Test #6: Create Symlink to Volume Shadow Copy [windows]
- T1556.004 Network Device Authentication CONTRIBUTE A TEST
- T1040 Network Sniffing
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- T1003 OS Credential Dumping
- Atomic Test #1: Gsecdump [windows]
- Atomic Test #2: Credential Dumping with NPPSpy [windows]
- T1110.002 Password Cracking
- Atomic Test #1: Password Cracking with Hashcat [windows]
- T1556.002 Password Filter DLL
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1110.001 Password Guessing
- Atomic Test #1: Brute Force Credentials of all domain users via SMB [windows]
- Atomic Test #2: Brute Force Credentials of single domain user via LDAP against domain controller (NTLM or Kerberos) [windows]
- T1555.005 Password Managers CONTRIBUTE A TEST
- T1110.003 Password Spraying
- Atomic Test #1: Password Spray all Domain Users [windows]
- Atomic Test #2: Password Spray (DomainPasswordSpray) [windows]
- Atomic Test #3: Password spray all domain users with a single password via LDAP against domain controller (NTLM or Kerberos) [windows]
- T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST
- T1552.004 Private Keys
- Atomic Test #1: Private Keys [windows]
- Atomic Test #2: Discover Private SSH Keys [macos, linux]
- Atomic Test #3: Copy Private SSH Keys with CP [linux]
- Atomic Test #4: Copy Private SSH Keys with rsync [macos, linux]
- T1003.007 Proc Filesystem CONTRIBUTE A TEST
- T1606.002 SAML Tokens CONTRIBUTE A TEST
- T1003.002 Security Account Manager
- Atomic Test #1: Registry dump of SAM, creds, and secrets [windows]
- Atomic Test #2: Registry parse with pypykatz [windows]
- Atomic Test #3: esentutl.exe SAM copy [windows]
- Atomic Test #4: PowerDump Registry dump of SAM for hashes and usernames [windows]
- T1555.002 Securityd Memory CONTRIBUTE A TEST
- T1558.002 Silver Ticket CONTRIBUTE A TEST
- T1528 Steal Application Access Token CONTRIBUTE A TEST
- T1539 Steal Web Session Cookie CONTRIBUTE A TEST
- T1558 Steal or Forge Kerberos Tickets CONTRIBUTE A TEST
- T1111 Two-Factor Authentication Interception CONTRIBUTE A TEST
- T1552 Unsecured Credentials CONTRIBUTE A TEST
- T1606.001 Web Cookies CONTRIBUTE A TEST
- T1056.003 Web Portal Capture CONTRIBUTE A TEST
- T1555.004 Windows Credential Manager CONTRIBUTE A TEST
- T1557.002 ARP Cache Poisoning CONTRIBUTE A TEST
- T1560 Archive Collected Data
- Atomic Test #1: Compress Data for Exfiltration With PowerShell [windows]
- T1560.003 Archive via Custom Method CONTRIBUTE A TEST
- T1560.002 Archive via Library
- Atomic Test #1: Compressing data using GZip in Python (Linux) [linux]
- Atomic Test #2: Compressing data using bz2 in Python (Linux) [linux]
- Atomic Test #3: Compressing data using zipfile in Python (Linux) [linux]
- Atomic Test #4: Compressing data using tarfile in Python (Linux) [linux]
- T1560.001 Archive via Utility
- Atomic Test #1: Compress Data for Exfiltration With Rar [windows]
- Atomic Test #2: Compress Data and lock with password for Exfiltration with winrar [windows]
- Atomic Test #3: Compress Data and lock with password for Exfiltration with winzip [windows]
- Atomic Test #4: Compress Data and lock with password for Exfiltration with 7zip [windows]
- Atomic Test #5: Data Compressed - nix - zip [linux, macos]
- Atomic Test #6: Data Compressed - nix - gzip Single File [linux, macos]
- Atomic Test #7: Data Compressed - nix - tar Folder or File [linux, macos]
- Atomic Test #8: Data Encrypted with zip and gpg symmetric [macos, linux]
- T1123 Audio Capture
- Atomic Test #1: using device audio capture commandlet [windows]
- T1119 Automated Collection
- Atomic Test #1: Automated Collection Command Prompt [windows]
- Atomic Test #2: Automated Collection PowerShell [windows]
- Atomic Test #3: Recon information for export with PowerShell [windows]
- Atomic Test #4: Recon information for export with Command Prompt [windows]
- T1115 Clipboard Data
- Atomic Test #1: Utilize Clipboard to store or execute commands from [windows]
- Atomic Test #2: Execute Commands from Clipboard using PowerShell [windows]
- Atomic Test #3: Execute commands from clipboard [macos]
- Atomic Test #4: Collect Clipboard Data via VBA [windows]
- T1213.001 Confluence CONTRIBUTE A TEST
- T1056.004 Credential API Hooking
- Atomic Test #1: Hook PowerShell TLS Encrypt/Decrypt Messages [windows]
- T1074 Data Staged CONTRIBUTE A TEST
- T1530 Data from Cloud Storage Object CONTRIBUTE A TEST
- T1602 Data from Configuration Repository CONTRIBUTE A TEST
- T1213 Data from Information Repositories CONTRIBUTE A TEST
- T1005 Data from Local System CONTRIBUTE A TEST
- T1039 Data from Network Shared Drive CONTRIBUTE A TEST
- T1025 Data from Removable Media CONTRIBUTE A TEST
- T1114 Email Collection CONTRIBUTE A TEST
- T1114.003 Email Forwarding Rule CONTRIBUTE A TEST
- T1056.002 GUI Input Capture
- Atomic Test #1: AppleScript - Prompt User for Password [macos]
- Atomic Test #2: PowerShell - Prompt User for Password [windows]
- T1056 Input Capture CONTRIBUTE A TEST
- T1056.001 Keylogging
- Atomic Test #1: Input Capture [windows]
- Atomic Test #2: Living off the land Terminal Input Capture on Linux with pam.d [linux]
- T1557.001 LLMNR/NBT-NS Poisoning and SMB Relay CONTRIBUTE A TEST
- T1074.001 Local Data Staging
- Atomic Test #1: Stage data from Discovery.bat [windows]
- Atomic Test #2: Stage data from Discovery.sh [linux, macos]
- Atomic Test #3: Zip a Folder with PowerShell for Staging in Temp [windows]
- T1114.001 Local Email Collection
- Atomic Test #1: Email Collection with PowerShell Get-Inbox [windows]
- T1185 Man in the Browser CONTRIBUTE A TEST
- T1557 Man-in-the-Middle CONTRIBUTE A TEST
- T1602.002 Network Device Configuration Dump CONTRIBUTE A TEST
- T1074.002 Remote Data Staging CONTRIBUTE A TEST
- T1114.002 Remote Email Collection CONTRIBUTE A TEST
- T1602.001 SNMP (MIB Dump) CONTRIBUTE A TEST
- T1113 Screen Capture
- Atomic Test #1: Screencapture [macos]
- Atomic Test #2: Screencapture (silent) [macos]
- Atomic Test #3: X Windows Capture [linux]
- Atomic Test #4: Capture Linux Desktop using Import Tool [linux]
- Atomic Test #5: Windows Screencapture [windows]
- T1213.002 Sharepoint CONTRIBUTE A TEST
- T1125 Video Capture CONTRIBUTE A TEST
- T1056.003 Web Portal Capture CONTRIBUTE A TEST
- T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
- T1134 Access Token Manipulation CONTRIBUTE A TEST
- T1546.008 Accessibility Features
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1547.014 Active Setup CONTRIBUTE A TEST
- T1546.009 AppCert DLLs CONTRIBUTE A TEST
- T1546.010 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
- T1546.011 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- T1055.004 Asynchronous Procedure Call
- Atomic Test #1: Process Injection via C# [windows]
- T1053.001 At (Linux)
- Atomic Test #1: At - Schedule a job [linux]
- T1053.002 At (Windows)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1547.002 Authentication Package CONTRIBUTE A TEST
- T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
- T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
- T1548.002 Bypass User Account Control
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- T1574.012 COR_PROFILER
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- T1546.001 Change Default File Association
- Atomic Test #1: Change Default File Association [windows]
- T1078.004 Cloud Accounts CONTRIBUTE A TEST
- T1546.015 Component Object Model Hijacking CONTRIBUTE A TEST
- T1053.007 Container Orchestration Job
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- T1134.002 Create Process with Token CONTRIBUTE A TEST
- T1543 Create or Modify System Process CONTRIBUTE A TEST
- T1053.003 Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1574.001 DLL Search Order Hijacking
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1574.002 DLL Side-Loading
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- T1078.001 Default Accounts
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts CONTRIBUTE A TEST
- T1484 Domain Policy Modification CONTRIBUTE A TEST
- T1484.002 Domain Trust Modification CONTRIBUTE A TEST
- T1574.004 Dylib Hijacking CONTRIBUTE A TEST
- T1574.006 Dynamic Linker Hijacking
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1055.001 Dynamic-link Library Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
- T1546.014 Emond
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1611 Escape to Host
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- T1546 Event Triggered Execution CONTRIBUTE A TEST
- T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
- T1068 Exploitation for Privilege Escalation CONTRIBUTE A TEST
- T1055.011 Extra Window Memory Injection CONTRIBUTE A TEST
- T1484.001 Group Policy Modification CONTRIBUTE A TEST
- T1574 Hijack Execution Flow CONTRIBUTE A TEST
- T1546.012 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1547.006 Kernel Modules and Extensions
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
- T1547.008 LSASS Driver CONTRIBUTE A TEST
- T1543.001 Launch Agent
- Atomic Test #1: Launch Agent [macos]
- T1543.004 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
- T1053.004 Launchd
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- T1078.003 Local Accounts
- Atomic Test #1: Create local account with admin priviliges [windows]
- T1037.002 Logon Script (Mac)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1037.001 Logon Script (Windows)
- Atomic Test #1: Logon Scripts [windows]
- T1134.003 Make and Impersonate Token CONTRIBUTE A TEST
- T1546.007 Netsh Helper DLL
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1037.003 Network Logon Script CONTRIBUTE A TEST
- T1134.004 Parent PID Spoofing
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1034 Path Interception CONTRIBUTE A TEST
- T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
- T1574.008 Path Interception by Search Order Hijacking CONTRIBUTE A TEST
- T1574.009 Path Interception by Unquoted Path
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1547.011 Plist Modification
- Atomic Test #1: Plist Modification [macos]
- T1547.010 Port Monitors
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1055.002 Portable Executable Injection CONTRIBUTE A TEST
- T1546.013 PowerShell Profile
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1547.012 Print Processors CONTRIBUTE A TEST
- T1055.009 Proc Memory CONTRIBUTE A TEST
- T1055.013 Process Doppelgänging CONTRIBUTE A TEST
- T1055.012 Process Hollowing
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1055 Process Injection
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls CONTRIBUTE A TEST
- T1037.004 RC Scripts
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1547.007 Re-opened Applications
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1547.001 Registry Run Keys / Startup Folder
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- T1134.005 SID-History Injection CONTRIBUTE A TEST
- T1053.005 Scheduled Task
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job CONTRIBUTE A TEST
- T1546.002 Screensaver
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1547.005 Security Support Provider
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
- T1574.011 Services Registry Permissions Weakness
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1548.001 Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- T1547.009 Shortcut Modification
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1037.005 Startup Items
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1548.003 Sudo and Sudo Caching
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1543.002 Systemd Service
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1053.006 Systemd Timers
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1055.003 Thread Execution Hijacking CONTRIBUTE A TEST
- T1055.005 Thread Local Storage CONTRIBUTE A TEST
- T1547.003 Time Providers CONTRIBUTE A TEST
- T1134.001 Token Impersonation/Theft
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2:
SeDebugPrivilege
token duplication [windows]
- T1546.005 Trap
- Atomic Test #1: Trap [macos, linux]
- T1546.004 Unix Shell Configuration Modification
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1055.014 VDSO Hijacking CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1546.003 Windows Management Instrumentation Event Subscription
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- T1543.003 Windows Service
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- T1547.004 Winlogon Helper DLL
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- T1547.013 XDG Autostart Entries CONTRIBUTE A TEST
- T1548 Abuse Elevation Control Mechanism CONTRIBUTE A TEST
- T1134 Access Token Manipulation CONTRIBUTE A TEST
- T1550.001 Application Access Token CONTRIBUTE A TEST
- T1055.004 Asynchronous Procedure Call
- Atomic Test #1: Process Injection via C# [windows]
- T1197 BITS Jobs
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1027.001 Binary Padding
- Atomic Test #1: Pad Binary to Change Hash - Linux/macOS dd [macos, linux]
- T1542.003 Bootkit CONTRIBUTE A TEST
- T1612 Build Image on Host CONTRIBUTE A TEST
- T1548.002 Bypass User Account Control
- Atomic Test #1: Bypass UAC using Event Viewer (cmd) [windows]
- Atomic Test #2: Bypass UAC using Event Viewer (PowerShell) [windows]
- Atomic Test #3: Bypass UAC using Fodhelper [windows]
- Atomic Test #4: Bypass UAC using Fodhelper - PowerShell [windows]
- Atomic Test #5: Bypass UAC using ComputerDefaults (PowerShell) [windows]
- Atomic Test #6: Bypass UAC by Mocking Trusted Directories [windows]
- Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows]
- Atomic Test #8: Disable UAC using reg.exe [windows]
- Atomic Test #9: Bypass UAC using SilentCleanup task [windows]
- T1218.003 CMSTP
- Atomic Test #1: CMSTP Executing Remote Scriptlet [windows]
- Atomic Test #2: CMSTP Executing UAC Bypass [windows]
- T1574.012 COR_PROFILER
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- T1070.003 Clear Command History
- Atomic Test #1: Clear Bash history (rm) [linux, macos]
- Atomic Test #2: Clear Bash history (echo) [linux]
- Atomic Test #3: Clear Bash history (cat dev/null) [linux, macos]
- Atomic Test #4: Clear Bash history (ln dev/null) [linux, macos]
- Atomic Test #5: Clear Bash history (truncate) [linux]
- Atomic Test #6: Clear history of a bunch of shells [linux, macos]
- Atomic Test #7: Clear and Disable Bash History Logging [linux, macos]
- Atomic Test #8: Use Space Before Command to Avoid Logging to History [linux, macos]
- Atomic Test #9: Disable Bash History Logging with SSH -T [linux]
- Atomic Test #10: Prevent Powershell History Logging [windows]
- Atomic Test #11: Clear Powershell History by Deleting History File [windows]
- T1070.002 Clear Linux or Mac System Logs
- Atomic Test #1: rm -rf [macos, linux]
- Atomic Test #2: Overwrite Linux Mail Spool [linux]
- Atomic Test #3: Overwrite Linux Log [linux]
- T1070.001 Clear Windows Event Logs
- Atomic Test #1: Clear Logs [windows]
- Atomic Test #2: Delete System Logs Using Clear-EventLog [windows]
- Atomic Test #3: Clear Event Logs via VBA [windows]
- T1078.004 Cloud Accounts CONTRIBUTE A TEST
- T1553.002 Code Signing CONTRIBUTE A TEST
- T1553.006 Code Signing Policy Modification CONTRIBUTE A TEST
- T1027.004 Compile After Delivery
- Atomic Test #1: Compile After Delivery using csc.exe [windows]
- Atomic Test #2: Dynamic C# Compile [windows]
- T1218.001 Compiled HTML File
- Atomic Test #1: Compiled HTML Help Local Payload [windows]
- Atomic Test #2: Compiled HTML Help Remote Payload [windows]
- Atomic Test #3: Invoke CHM with default Shortcut Command Execution [windows]
- Atomic Test #4: Invoke CHM with InfoTech Storage Protocol Handler [windows]
- Atomic Test #5: Invoke CHM Simulate Double click [windows]
- Atomic Test #6: Invoke CHM with Script Engine and Help Topic [windows]
- Atomic Test #7: Invoke CHM Shortcut Command with ITS and Help Topic [windows]
- T1542.002 Component Firmware CONTRIBUTE A TEST
- T1218.002 Control Panel
- Atomic Test #1: Control Panel Items [windows]
- T1578.002 Create Cloud Instance CONTRIBUTE A TEST
- T1134.002 Create Process with Token CONTRIBUTE A TEST
- T1578.001 Create Snapshot CONTRIBUTE A TEST
- T1574.001 DLL Search Order Hijacking
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1574.002 DLL Side-Loading
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- T1078.001 Default Accounts
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1578.003 Delete Cloud Instance CONTRIBUTE A TEST
- T1140 Deobfuscate/Decode Files or Information
- Atomic Test #1: Deobfuscate/Decode Files Or Information [windows]
- Atomic Test #2: Certutil Rename and Decode [windows]
- T1610 Deploy Container
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- T1006 Direct Volume Access
- Atomic Test #1: Read volume boot sector via DOS device path (PowerShell) [windows]
- T1562.008 Disable Cloud Logs CONTRIBUTE A TEST
- T1600.002 Disable Crypto Hardware CONTRIBUTE A TEST
- T1562.002 Disable Windows Event Logging
- Atomic Test #1: Disable Windows IIS HTTP Logging [windows]
- Atomic Test #2: Kill Event Log Service Threads [windows]
- Atomic Test #3: Impair Windows Audit Log Policy [windows]
- Atomic Test #4: Clear Windows Audit Policy Config [windows]
- T1562.007 Disable or Modify Cloud Firewall CONTRIBUTE A TEST
- T1562.004 Disable or Modify System Firewall
- Atomic Test #1: Disable firewall [linux]
- Atomic Test #2: Disable Microsoft Defender Firewall [windows]
- Atomic Test #3: Allow SMB and RDP on Microsoft Defender Firewall [windows]
- Atomic Test #4: Opening ports for proxy - HARDRAIN [windows]
- Atomic Test #5: Open a local port through Windows Firewall to any profile [windows]
- Atomic Test #6: Allow Executable Through Firewall Located in Non-Standard Location [windows]
- T1562.001 Disable or Modify Tools
- Atomic Test #1: Disable syslog [linux]
- Atomic Test #2: Disable Cb Response [linux]
- Atomic Test #3: Disable SELinux [linux]
- Atomic Test #4: Stop Crowdstrike Falcon on Linux [linux]
- Atomic Test #5: Disable Carbon Black Response [macos]
- Atomic Test #6: Disable LittleSnitch [macos]
- Atomic Test #7: Disable OpenDNS Umbrella [macos]
- Atomic Test #8: Disable macOS Gatekeeper [macos]
- Atomic Test #9: Stop and unload Crowdstrike Falcon on macOS [macos]
- Atomic Test #10: Unload Sysmon Filter Driver [windows]
- Atomic Test #11: Uninstall Sysmon [windows]
- Atomic Test #12: AMSI Bypass - AMSI InitFailed [windows]
- Atomic Test #13: AMSI Bypass - Remove AMSI Provider Reg Key [windows]
- Atomic Test #14: Disable Arbitrary Security Windows Service [windows]
- Atomic Test #15: Tamper with Windows Defender ATP PowerShell [windows]
- Atomic Test #16: Tamper with Windows Defender Command Prompt [windows]
- Atomic Test #17: Tamper with Windows Defender Registry [windows]
- Atomic Test #18: Disable Microsoft Office Security Features [windows]
- Atomic Test #19: Remove Windows Defender Definition Files [windows]
- Atomic Test #20: Stop and Remove Arbitrary Security Windows Service [windows]
- Atomic Test #21: Uninstall Crowdstrike Falcon on Windows [windows]
- Atomic Test #22: Tamper with Windows Defender Evade Scanning -Folder [windows]
- Atomic Test #23: Tamper with Windows Defender Evade Scanning -Extension [windows]
- Atomic Test #24: Tamper with Windows Defender Evade Scanning -Process [windows]
- T1078.002 Domain Accounts CONTRIBUTE A TEST
- T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
- T1484 Domain Policy Modification CONTRIBUTE A TEST
- T1484.002 Domain Trust Modification CONTRIBUTE A TEST
- T1601.002 Downgrade System Image CONTRIBUTE A TEST
- T1574.004 Dylib Hijacking CONTRIBUTE A TEST
- T1574.006 Dynamic Linker Hijacking
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1055.001 Dynamic-link Library Injection
- Atomic Test #1: Process Injection via mavinject.exe [windows]
- T1548.004 Elevated Execution with Prompt CONTRIBUTE A TEST
- T1480.001 Environmental Keying CONTRIBUTE A TEST
- T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
- T1480 Execution Guardrails CONTRIBUTE A TEST
- T1211 Exploitation for Defense Evasion CONTRIBUTE A TEST
- T1055.011 Extra Window Memory Injection CONTRIBUTE A TEST
- T1070.004 File Deletion
- Atomic Test #1: Delete a single file - Linux/macOS [linux, macos]
- Atomic Test #2: Delete an entire folder - Linux/macOS [linux, macos]
- Atomic Test #3: Overwrite and delete a file with shred [linux]
- Atomic Test #4: Delete a single file - Windows cmd [windows]
- Atomic Test #5: Delete an entire folder - Windows cmd [windows]
- Atomic Test #6: Delete a single file - Windows PowerShell [windows]
- Atomic Test #7: Delete an entire folder - Windows PowerShell [windows]
- Atomic Test #8: Delete Filesystem - Linux [linux]
- Atomic Test #9: Delete Prefetch File [windows]
- Atomic Test #10: Delete TeamViewer Log Files [windows]
- T1222 File and Directory Permissions Modification CONTRIBUTE A TEST
- T1553.001 Gatekeeper Bypass
- Atomic Test #1: Gatekeeper Bypass [macos]
- T1484.001 Group Policy Modification CONTRIBUTE A TEST
- T1564.005 Hidden File System CONTRIBUTE A TEST
- T1564.001 Hidden Files and Directories
- Atomic Test #1: Create a hidden file in a hidden directory [linux, macos]
- Atomic Test #2: Mac Hidden file [macos]
- Atomic Test #3: Create Windows System File with Attrib [windows]
- Atomic Test #4: Create Windows Hidden File with Attrib [windows]
- Atomic Test #5: Hidden files [macos]
- Atomic Test #6: Hide a Directory [macos]
- Atomic Test #7: Show all hidden files [macos]
- T1564.002 Hidden Users
- Atomic Test #1: Create Hidden User using UniqueID < 500 [macos]
- Atomic Test #2: Create Hidden User using IsHidden option [macos]
- T1564.003 Hidden Window
- Atomic Test #1: Hidden Window [windows]
- T1564 Hide Artifacts
- Atomic Test #1: Extract binary files via VBA [windows]
- Atomic Test #2: Create a user called "$" as noted here [windows]
- Atomic Test #3: Create an "Administrator " user (with a space on the end) [windows]
- T1574 Hijack Execution Flow CONTRIBUTE A TEST
- T1562.003 Impair Command History Logging
- Atomic Test #1: Disable history collection [linux, macos]
- Atomic Test #2: Mac HISTCONTROL [macos, linux]
- T1562 Impair Defenses CONTRIBUTE A TEST
- T1562.006 Indicator Blocking
- Atomic Test #1: Auditing Configuration Changes on Linux Host [linux]
- Atomic Test #2: Logging Configuration Changes on Linux Host [linux]
- T1027.005 Indicator Removal from Tools CONTRIBUTE A TEST
- T1070 Indicator Removal on Host
- Atomic Test #1: Indicator Removal using FSUtil [windows]
- T1202 Indirect Command Execution
- Atomic Test #1: Indirect Command Execution - pcalua.exe [windows]
- Atomic Test #2: Indirect Command Execution - forfiles.exe [windows]
- Atomic Test #3: Indirect Command Execution - conhost.exe [windows]
- T1553.004 Install Root Certificate
- Atomic Test #1: Install root CA on CentOS/RHEL [linux]
- Atomic Test #2: Install root CA on Debian/Ubuntu [linux]
- Atomic Test #3: Install root CA on macOS [macos]
- Atomic Test #4: Install root CA on Windows [windows]
- Atomic Test #5: Install root CA on Windows with certutil [windows]
- T1218.004 InstallUtil
- Atomic Test #1: CheckIfInstallable method call [windows]
- Atomic Test #2: InstallHelper method call [windows]
- Atomic Test #3: InstallUtil class constructor method call [windows]
- Atomic Test #4: InstallUtil Install method call [windows]
- Atomic Test #5: InstallUtil Uninstall method call - /U variant [windows]
- Atomic Test #6: InstallUtil Uninstall method call - '/installtype=notransaction /action=uninstall' variant [windows]
- Atomic Test #7: InstallUtil HelpText method call [windows]
- Atomic Test #8: InstallUtil evasive invocation [windows]
- T1036.001 Invalid Code Signature CONTRIBUTE A TEST
- T1149 LC_MAIN Hijacking CONTRIBUTE A TEST
- T1222.002 Linux and Mac File and Directory Permissions Modification
- Atomic Test #1: chmod - Change file or folder mode (numeric mode) [macos, linux]
- Atomic Test #2: chmod - Change file or folder mode (symbolic mode) [macos, linux]
- Atomic Test #3: chmod - Change file or folder mode (numeric mode) recursively [macos, linux]
- Atomic Test #4: chmod - Change file or folder mode (symbolic mode) recursively [macos, linux]
- Atomic Test #5: chown - Change file or folder ownership and group [macos, linux]
- Atomic Test #6: chown - Change file or folder ownership and group recursively [macos, linux]
- Atomic Test #7: chown - Change file or folder mode ownership only [macos, linux]
- Atomic Test #8: chown - Change file or folder ownership recursively [macos, linux]
- Atomic Test #9: chattr - Remove immutable file attribute [macos, linux]
- T1078.003 Local Accounts
- Atomic Test #1: Create local account with admin priviliges [windows]
- T1127.001 MSBuild
- Atomic Test #1: MSBuild Bypass Using Inline Tasks (C#) [windows]
- Atomic Test #2: MSBuild Bypass Using Inline Tasks (VB) [windows]
- T1134.003 Make and Impersonate Token CONTRIBUTE A TEST
- T1553.005 Mark-of-the-Web Bypass CONTRIBUTE A TEST
- T1036.004 Masquerade Task or Service
- Atomic Test #1: Creating W32Time similar named service using schtasks [windows]
- Atomic Test #2: Creating W32Time similar named service using sc [windows]
- T1036 Masquerading
- Atomic Test #1: System File Copied to Unusual Location [windows]
- T1036.005 Match Legitimate Name or Location CONTRIBUTE A TEST
- T1556 Modify Authentication Process CONTRIBUTE A TEST
- T1578 Modify Cloud Compute Infrastructure CONTRIBUTE A TEST
- T1112 Modify Registry
- Atomic Test #1: Modify Registry of Current User Profile - cmd [windows]
- Atomic Test #2: Modify Registry of Local Machine - cmd [windows]
- Atomic Test #3: Modify registry to store logon credentials [windows]
- Atomic Test #4: Add domain to Trusted sites Zone [windows]
- Atomic Test #5: Javascript in registry [windows]
- Atomic Test #6: Change Powershell Execution Policy to Bypass [windows]
- T1601 Modify System Image CONTRIBUTE A TEST
- T1218.005 Mshta
- Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows]
- Atomic Test #2: Mshta executes VBScript to execute malicious command [windows]
- Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows]
- Atomic Test #4: Invoke HTML Application - Jscript Engine over Local UNC Simulating Lateral Movement [windows]
- Atomic Test #5: Invoke HTML Application - Jscript Engine Simulating Double Click [windows]
- Atomic Test #6: Invoke HTML Application - Direct download from URI [windows]
- Atomic Test #7: Invoke HTML Application - JScript Engine with Rundll32 and Inline Protocol Handler [windows]
- Atomic Test #8: Invoke HTML Application - JScript Engine with Inline Protocol Handler [windows]
- Atomic Test #9: Invoke HTML Application - Simulate Lateral Movement over UNC Path [windows]
- T1218.007 Msiexec
- Atomic Test #1: Msiexec.exe - Execute Local MSI file [windows]
- Atomic Test #2: Msiexec.exe - Execute Remote MSI file [windows]
- Atomic Test #3: Msiexec.exe - Execute Arbitrary DLL [windows]
- T1564.004 NTFS File Attributes
- Atomic Test #1: Alternate Data Streams (ADS) [windows]
- Atomic Test #2: Store file in Alternate Data Stream (ADS) [windows]
- Atomic Test #3: Create ADS command prompt [windows]
- Atomic Test #4: Create ADS PowerShell [windows]
- T1599.001 Network Address Translation Traversal CONTRIBUTE A TEST
- T1599 Network Boundary Bridging CONTRIBUTE A TEST
- T1556.004 Network Device Authentication CONTRIBUTE A TEST
- T1070.005 Network Share Connection Removal
- Atomic Test #1: Add Network Share [windows]
- Atomic Test #2: Remove Network Share [windows]
- Atomic Test #3: Remove Network Share PowerShell [windows]
- T1027 Obfuscated Files or Information
- Atomic Test #1: Decode base64 Data into Script [macos, linux]
- Atomic Test #2: Execute base64-encoded PowerShell [windows]
- Atomic Test #3: Execute base64-encoded PowerShell from Windows Registry [windows]
- Atomic Test #4: Execution from Compressed File [windows]
- Atomic Test #5: DLP Evasion via Sensitive Data in VBA Macro over email [windows]
- Atomic Test #6: DLP Evasion via Sensitive Data in VBA Macro over HTTP [windows]
- T1218.008 Odbcconf
- Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows]
- T1134.004 Parent PID Spoofing
- Atomic Test #1: Parent PID Spoofing using PowerShell [windows]
- Atomic Test #2: Parent PID Spoofing - Spawn from Current Process [windows]
- Atomic Test #3: Parent PID Spoofing - Spawn from Specified Process [windows]
- Atomic Test #4: Parent PID Spoofing - Spawn from svchost.exe [windows]
- Atomic Test #5: Parent PID Spoofing - Spawn from New Process [windows]
- T1550.002 Pass the Hash
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- T1550.003 Pass the Ticket
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- T1556.002 Password Filter DLL
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1601.001 Patch System Image CONTRIBUTE A TEST
- T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
- T1574.008 Path Interception by Search Order Hijacking CONTRIBUTE A TEST
- T1574.009 Path Interception by Unquoted Path
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST
- T1205.001 Port Knocking CONTRIBUTE A TEST
- T1055.002 Portable Executable Injection CONTRIBUTE A TEST
- T1542 Pre-OS Boot CONTRIBUTE A TEST
- T1055.009 Proc Memory CONTRIBUTE A TEST
- T1055.013 Process Doppelgänging CONTRIBUTE A TEST
- T1055.012 Process Hollowing
- Atomic Test #1: Process Hollowing using PowerShell [windows]
- Atomic Test #2: RunPE via VBA [windows]
- T1055 Process Injection
- Atomic Test #1: Shellcode execution via VBA [windows]
- Atomic Test #2: Remote Process Injection in LSASS via mimikatz [windows]
- T1055.008 Ptrace System Calls CONTRIBUTE A TEST
- T1216.001 PubPrn
- Atomic Test #1: PubPrn.vbs Signed Script Bypass [windows]
- T1542.004 ROMMONkit CONTRIBUTE A TEST
- T1600.001 Reduce Key Space CONTRIBUTE A TEST
- T1108 Redundant Access CONTRIBUTE A TEST
- T1218.009 Regsvcs/Regasm
- Atomic Test #1: Regasm Uninstall Method Call Test [windows]
- Atomic Test #2: Regsvcs Uninstall Method Call Test [windows]
- T1218.010 Regsvr32
- Atomic Test #1: Regsvr32 local COM scriptlet execution [windows]
- Atomic Test #2: Regsvr32 remote COM scriptlet execution [windows]
- Atomic Test #3: Regsvr32 local DLL execution [windows]
- Atomic Test #4: Regsvr32 Registering Non DLL [windows]
- Atomic Test #5: Regsvr32 Silent DLL Install Call DllRegisterServer [windows]
- T1036.003 Rename System Utilities
- Atomic Test #1: Masquerading as Windows LSASS process [windows]
- Atomic Test #2: Masquerading as Linux crond process. [linux]
- Atomic Test #3: Masquerading - cscript.exe running as notepad.exe [windows]
- Atomic Test #4: Masquerading - wscript.exe running as svchost.exe [windows]
- Atomic Test #5: Masquerading - powershell.exe running as taskhostw.exe [windows]
- Atomic Test #6: Masquerading - non-windows exe running as windows exe [windows]
- Atomic Test #7: Masquerading - windows exe running as different windows exe [windows]
- Atomic Test #8: Malicious process Masquerading as LSM.exe [windows]
- Atomic Test #9: File Extension Masquerading [windows]
- T1578.004 Revert Cloud Instance CONTRIBUTE A TEST
- T1036.002 Right-to-Left Override CONTRIBUTE A TEST
- T1207 Rogue Domain Controller
- Atomic Test #1: DCShadow - Mimikatz [windows]
- T1014 Rootkit
- Atomic Test #1: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #2: Loadable Kernel Module based Rootkit [linux]
- Atomic Test #3: Windows Signed Driver Rootkit Test [windows]
- T1564.006 Run Virtual Instance CONTRIBUTE A TEST
- T1218.011 Rundll32
- Atomic Test #1: Rundll32 execute JavaScript Remote Payload With GetObject [windows]
- Atomic Test #2: Rundll32 execute VBscript command [windows]
- Atomic Test #3: Rundll32 advpack.dll Execution [windows]
- Atomic Test #4: Rundll32 ieadvpack.dll Execution [windows]
- Atomic Test #5: Rundll32 syssetup.dll Execution [windows]
- Atomic Test #6: Rundll32 setupapi.dll Execution [windows]
- Atomic Test #7: Execution of HTA and VBS Files using Rundll32 and URL.dll [windows]
- Atomic Test #8: Launches an executable using Rundll32 and pcwutl.dll [windows]
- T1134.005 SID-History Injection CONTRIBUTE A TEST
- T1553.003 SIP and Trust Provider Hijacking CONTRIBUTE A TEST
- T1064 Scripting CONTRIBUTE A TEST
- T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
- T1574.011 Services Registry Permissions Weakness
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1548.001 Setuid and Setgid
- Atomic Test #1: Make and modify binary from C source [macos, linux]
- Atomic Test #2: Set a SetUID flag on file [macos, linux]
- Atomic Test #3: Set a SetGID flag on file [macos, linux]
- T1218 Signed Binary Proxy Execution
- Atomic Test #1: mavinject - Inject DLL into running process [windows]
- Atomic Test #2: SyncAppvPublishingServer - Execute arbitrary PowerShell code [windows]
- Atomic Test #3: Register-CimProvider - Execute evil dll [windows]
- Atomic Test #4: InfDefaultInstall.exe .inf Execution [windows]
- Atomic Test #5: ProtocolHandler.exe Downloaded a Suspicious File [windows]
- Atomic Test #6: Microsoft.Workflow.Compiler.exe Payload Execution [windows]
- Atomic Test #7: Renamed Microsoft.Workflow.Compiler.exe Payload Executions [windows]
- Atomic Test #8: Invoke-ATHRemoteFXvGPUDisablementCommand base test [windows]
- T1216 Signed Script Proxy Execution
- Atomic Test #1: SyncAppvPublishingServer Signed Script PowerShell Command Execution [windows]
- Atomic Test #2: manage-bde.wsf Signed Script Command Execution [windows]
- T1027.002 Software Packing
- Atomic Test #1: Binary simply packed by UPX (linux) [linux]
- Atomic Test #2: Binary packed by UPX, with modified headers (linux) [linux]
- Atomic Test #3: Binary simply packed by UPX [macos]
- Atomic Test #4: Binary packed by UPX, with modified headers [macos]
- T1036.006 Space after Filename
- Atomic Test #1: Space After Filename [macos]
- T1027.003 Steganography CONTRIBUTE A TEST
- T1553 Subvert Trust Controls CONTRIBUTE A TEST
- T1548.003 Sudo and Sudo Caching
- Atomic Test #1: Sudo usage [macos, linux]
- Atomic Test #2: Unlimited sudo cache timeout [macos, linux]
- Atomic Test #3: Disable tty_tickets for sudo caching [macos, linux]
- T1497.001 System Checks
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1542.001 System Firmware CONTRIBUTE A TEST
- T1542.005 TFTP Boot CONTRIBUTE A TEST
- T1221 Template Injection
- Atomic Test #1: WINWORD Remote Template Injection [windows]
- T1055.003 Thread Execution Hijacking CONTRIBUTE A TEST
- T1055.005 Thread Local Storage CONTRIBUTE A TEST
- T1497.003 Time Based Evasion CONTRIBUTE A TEST
- T1070.006 Timestomp
- Atomic Test #1: Set a file's access timestamp [linux, macos]
- Atomic Test #2: Set a file's modification timestamp [linux, macos]
- Atomic Test #3: Set a file's creation timestamp [linux, macos]
- Atomic Test #4: Modify file timestamps using reference file [linux, macos]
- Atomic Test #5: Windows - Modify file creation timestamp with PowerShell [windows]
- Atomic Test #6: Windows - Modify file last modified timestamp with PowerShell [windows]
- Atomic Test #7: Windows - Modify file last access timestamp with PowerShell [windows]
- Atomic Test #8: Windows - Timestomp a File [windows]
- T1134.001 Token Impersonation/Theft
- Atomic Test #1: Named pipe client impersonation [windows]
- Atomic Test #2:
SeDebugPrivilege
token duplication [windows]
- T1205 Traffic Signaling CONTRIBUTE A TEST
- T1127 Trusted Developer Utilities Proxy Execution CONTRIBUTE A TEST
- T1535 Unused/Unsupported Cloud Regions CONTRIBUTE A TEST
- T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
- T1497.002 User Activity Based Checks CONTRIBUTE A TEST
- T1564.007 VBA Stomping CONTRIBUTE A TEST
- T1055.014 VDSO Hijacking CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1218.012 Verclsid CONTRIBUTE A TEST
- T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
- T1600 Weaken Encryption CONTRIBUTE A TEST
- T1550.004 Web Session Cookie CONTRIBUTE A TEST
- T1222.001 Windows File and Directory Permissions Modification
- Atomic Test #1: Take ownership using takeown utility [windows]
- Atomic Test #2: cacls - Grant permission to specified user or group recursively [windows]
- Atomic Test #3: attrib - Remove read-only attribute [windows]
- Atomic Test #4: attrib - hide file [windows]
- Atomic Test #5: Grant Full Access to folder for Everyone - Ryuk Ransomware Style [windows]
- T1220 XSL Script Processing
- Atomic Test #1: MSXSL Bypass using local files [windows]
- Atomic Test #2: MSXSL Bypass using remote files [windows]
- Atomic Test #3: WMIC bypass using local XSL file [windows]
- Atomic Test #4: WMIC bypass using remote XSL file [windows]
- T1546.008 Accessibility Features
- Atomic Test #1: Attaches Command Prompt as a Debugger to a List of Target Processes [windows]
- Atomic Test #2: Replace binary of sticky keys [windows]
- T1098 Account Manipulation
- Atomic Test #1: Admin Account Manipulate [windows]
- Atomic Test #2: Domain Account and Group Manipulate [windows]
- T1547.014 Active Setup CONTRIBUTE A TEST
- T1098.003 Add Office 365 Global Administrator Role CONTRIBUTE A TEST
- T1137.006 Add-ins CONTRIBUTE A TEST
- T1098.001 Additional Cloud Credentials CONTRIBUTE A TEST
- T1546.009 AppCert DLLs CONTRIBUTE A TEST
- T1546.010 AppInit DLLs
- Atomic Test #1: Install AppInit Shim [windows]
- T1546.011 Application Shimming
- Atomic Test #1: Application Shim Installation [windows]
- Atomic Test #2: New shim database files created in the default shim database directory [windows]
- Atomic Test #3: Registry key creation and/or modification events for SDB [windows]
- T1053.001 At (Linux)
- Atomic Test #1: At - Schedule a job [linux]
- T1053.002 At (Windows)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1547.002 Authentication Package CONTRIBUTE A TEST
- T1197 BITS Jobs
- Atomic Test #1: Bitsadmin Download (cmd) [windows]
- Atomic Test #2: Bitsadmin Download (PowerShell) [windows]
- Atomic Test #3: Persist, Download, & Execute [windows]
- Atomic Test #4: Bits download using desktopimgdownldr.exe (cmd) [windows]
- T1547 Boot or Logon Autostart Execution CONTRIBUTE A TEST
- T1037 Boot or Logon Initialization Scripts CONTRIBUTE A TEST
- T1542.003 Bootkit CONTRIBUTE A TEST
- T1176 Browser Extensions
- Atomic Test #1: Chrome (Developer Mode) [linux, windows, macos]
- Atomic Test #2: Chrome (Chrome Web Store) [linux, windows, macos]
- Atomic Test #3: Firefox [linux, windows, macos]
- Atomic Test #4: Edge Chromium Addon - VPN [windows, macos]
- T1574.012 COR_PROFILER
- Atomic Test #1: User scope COR_PROFILER [windows]
- Atomic Test #2: System Scope COR_PROFILER [windows]
- Atomic Test #3: Registry-free process scope COR_PROFILER [windows]
- T1546.001 Change Default File Association
- Atomic Test #1: Change Default File Association [windows]
- T1136.003 Cloud Account CONTRIBUTE A TEST
- T1078.004 Cloud Accounts CONTRIBUTE A TEST
- T1542.002 Component Firmware CONTRIBUTE A TEST
- T1546.015 Component Object Model Hijacking CONTRIBUTE A TEST
- T1554 Compromise Client Software Binary CONTRIBUTE A TEST
- T1053.007 Container Orchestration Job
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- T1136 Create Account CONTRIBUTE A TEST
- T1543 Create or Modify System Process CONTRIBUTE A TEST
- T1053.003 Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1574.001 DLL Search Order Hijacking
- Atomic Test #1: DLL Search Order Hijacking - amsi.dll [windows]
- T1574.002 DLL Side-Loading
- Atomic Test #1: DLL Side-Loading using the Notepad++ GUP.exe binary [windows]
- T1078.001 Default Accounts
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1136.002 Domain Account
- Atomic Test #1: Create a new Windows domain admin user [windows]
- Atomic Test #2: Create a new account similar to ANONYMOUS LOGON [windows]
- Atomic Test #3: Create a new Domain Account using PowerShell [windows]
- T1078.002 Domain Accounts CONTRIBUTE A TEST
- T1556.001 Domain Controller Authentication CONTRIBUTE A TEST
- T1574.004 Dylib Hijacking CONTRIBUTE A TEST
- T1574.006 Dynamic Linker Hijacking
- Atomic Test #1: Shared Library Injection via /etc/ld.so.preload [linux]
- Atomic Test #2: Shared Library Injection via LD_PRELOAD [linux]
- T1546.014 Emond
- Atomic Test #1: Persistance with Event Monitor - emond [macos]
- T1546 Event Triggered Execution CONTRIBUTE A TEST
- T1098.002 Exchange Email Delegate Permissions CONTRIBUTE A TEST
- T1574.005 Executable Installer File Permissions Weakness CONTRIBUTE A TEST
- T1133 External Remote Services
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1574 Hijack Execution Flow CONTRIBUTE A TEST
- T1062 Hypervisor CONTRIBUTE A TEST
- T1546.012 Image File Execution Options Injection
- Atomic Test #1: IFEO Add Debugger [windows]
- Atomic Test #2: IFEO Global Flags [windows]
- T1525 Implant Internal Image CONTRIBUTE A TEST
- T1547.006 Kernel Modules and Extensions
- Atomic Test #1: Linux - Load Kernel Module via insmod [linux]
- T1546.006 LC_LOAD_DYLIB Addition CONTRIBUTE A TEST
- T1547.008 LSASS Driver CONTRIBUTE A TEST
- T1543.001 Launch Agent
- Atomic Test #1: Launch Agent [macos]
- T1543.004 Launch Daemon
- Atomic Test #1: Launch Daemon [macos]
- T1053.004 Launchd
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- T1136.001 Local Account
- Atomic Test #1: Create a user account on a Linux system [linux]
- Atomic Test #2: Create a user account on a MacOS system [macos]
- Atomic Test #3: Create a new user in a command prompt [windows]
- Atomic Test #4: Create a new user in PowerShell [windows]
- Atomic Test #5: Create a new user in Linux with
root
UID and GID. [linux] - Atomic Test #6: Create a new Windows admin user [windows]
- T1078.003 Local Accounts
- Atomic Test #1: Create local account with admin priviliges [windows]
- T1037.002 Logon Script (Mac)
- Atomic Test #1: Logon Scripts - Mac [macos]
- T1037.001 Logon Script (Windows)
- Atomic Test #1: Logon Scripts [windows]
- T1556 Modify Authentication Process CONTRIBUTE A TEST
- T1546.007 Netsh Helper DLL
- Atomic Test #1: Netsh Helper DLL Registration [windows]
- T1556.004 Network Device Authentication CONTRIBUTE A TEST
- T1037.003 Network Logon Script CONTRIBUTE A TEST
- T1137 Office Application Startup
- Atomic Test #1: Office Application Startup - Outlook as a C2 [windows]
- T1137.001 Office Template Macros CONTRIBUTE A TEST
- T1137.002 Office Test
- Atomic Test #1: Office Application Startup Test Persistence [windows]
- T1137.003 Outlook Forms CONTRIBUTE A TEST
- T1137.004 Outlook Home Page
- Atomic Test #1: Install Outlook Home Page Persistence [windows]
- T1137.005 Outlook Rules CONTRIBUTE A TEST
- T1556.002 Password Filter DLL
- Atomic Test #1: Install and Register Password Filter DLL [windows]
- T1034 Path Interception CONTRIBUTE A TEST
- T1574.007 Path Interception by PATH Environment Variable CONTRIBUTE A TEST
- T1574.008 Path Interception by Search Order Hijacking CONTRIBUTE A TEST
- T1574.009 Path Interception by Unquoted Path
- Atomic Test #1: Execution of program.exe as service with unquoted service path [windows]
- T1547.011 Plist Modification
- Atomic Test #1: Plist Modification [macos]
- T1556.003 Pluggable Authentication Modules CONTRIBUTE A TEST
- T1205.001 Port Knocking CONTRIBUTE A TEST
- T1547.010 Port Monitors
- Atomic Test #1: Add Port Monitor persistence in Registry [windows]
- T1546.013 PowerShell Profile
- Atomic Test #1: Append malicious start-process cmdlet [windows]
- T1542 Pre-OS Boot CONTRIBUTE A TEST
- T1547.012 Print Processors CONTRIBUTE A TEST
- T1037.004 RC Scripts
- Atomic Test #1: rc.common [macos]
- Atomic Test #2: rc.common [linux]
- Atomic Test #3: rc.local [linux]
- T1542.004 ROMMONkit CONTRIBUTE A TEST
- T1547.007 Re-opened Applications
- Atomic Test #1: Re-Opened Applications [macos]
- Atomic Test #2: Re-Opened Applications [macos]
- T1108 Redundant Access CONTRIBUTE A TEST
- T1547.001 Registry Run Keys / Startup Folder
- Atomic Test #1: Reg Key Run [windows]
- Atomic Test #2: Reg Key RunOnce [windows]
- Atomic Test #3: PowerShell Registry RunOnce [windows]
- Atomic Test #4: Suspicious vbs file run from startup Folder [windows]
- Atomic Test #5: Suspicious jse file run from startup Folder [windows]
- Atomic Test #6: Suspicious bat file run from startup Folder [windows]
- Atomic Test #7: Add Executable Shortcut Link to User Startup Folder [windows]
- T1505.001 SQL Stored Procedures CONTRIBUTE A TEST
- T1098.004 SSH Authorized Keys
- Atomic Test #1: Modify SSH Authorized Keys [macos, linux]
- T1053.005 Scheduled Task
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job CONTRIBUTE A TEST
- T1546.002 Screensaver
- Atomic Test #1: Set Arbitrary Binary as Screensaver [windows]
- T1547.005 Security Support Provider
- Atomic Test #1: Modify SSP configuration in registry [windows]
- T1505 Server Software Component CONTRIBUTE A TEST
- T1574.010 Services File Permissions Weakness CONTRIBUTE A TEST
- T1574.011 Services Registry Permissions Weakness
- Atomic Test #1: Service Registry Permissions Weakness [windows]
- Atomic Test #2: Service ImagePath Change with reg.exe [windows]
- T1547.009 Shortcut Modification
- Atomic Test #1: Shortcut Modification [windows]
- Atomic Test #2: Create shortcut to cmd in startup folders [windows]
- T1037.005 Startup Items
- Atomic Test #1: Add file to Local Library StartupItems [macos]
- T1542.001 System Firmware CONTRIBUTE A TEST
- T1543.002 Systemd Service
- Atomic Test #1: Create Systemd Service [linux]
- Atomic Test #2: Create Systemd Service file, Enable the service , Modify and Reload the service. [linux]
- T1053.006 Systemd Timers
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1542.005 TFTP Boot CONTRIBUTE A TEST
- T1547.003 Time Providers CONTRIBUTE A TEST
- T1205 Traffic Signaling CONTRIBUTE A TEST
- T1505.002 Transport Agent
- Atomic Test #1: Install MS Exchange Transport Agent Persistence [windows]
- T1546.005 Trap
- Atomic Test #1: Trap [macos, linux]
- T1546.004 Unix Shell Configuration Modification
- Atomic Test #1: Add command to .bash_profile [macos, linux]
- Atomic Test #2: Add command to .bashrc [macos, linux]
- T1078 Valid Accounts CONTRIBUTE A TEST
- T1505.003 Web Shell
- Atomic Test #1: Web Shell Written to Disk [windows]
- T1546.003 Windows Management Instrumentation Event Subscription
- Atomic Test #1: Persistence via WMI Event Subscription [windows]
- T1543.003 Windows Service
- Atomic Test #1: Modify Fax service to run PowerShell [windows]
- Atomic Test #2: Service Installation CMD [windows]
- Atomic Test #3: Service Installation PowerShell [windows]
- T1547.004 Winlogon Helper DLL
- Atomic Test #1: Winlogon Shell Key Persistence - PowerShell [windows]
- Atomic Test #2: Winlogon Userinit Key Persistence - PowerShell [windows]
- Atomic Test #3: Winlogon Notify Key Logon Persistence - PowerShell [windows]
- T1547.013 XDG Autostart Entries CONTRIBUTE A TEST
- T1531 Account Access Removal
- Atomic Test #1: Change User Password - Windows [windows]
- Atomic Test #2: Delete User - Windows [windows]
- Atomic Test #3: Remove Account From Domain Admin Group [windows]
- T1499.003 Application Exhaustion Flood CONTRIBUTE A TEST
- T1499.004 Application or System Exploitation CONTRIBUTE A TEST
- T1485 Data Destruction
- Atomic Test #1: Windows - Overwrite file with Sysinternals SDelete [windows]
- Atomic Test #2: macOS/Linux - Overwrite file with DD [linux, macos]
- T1486 Data Encrypted for Impact
- Atomic Test #1: Encrypt files using gpg (Linux) [linux]
- Atomic Test #2: Encrypt files using 7z (Linux) [linux]
- Atomic Test #3: Encrypt files using ccrypt (Linux) [linux]
- Atomic Test #4: Encrypt files using openssl (Linux) [linux]
- T1565 Data Manipulation CONTRIBUTE A TEST
- T1491 Defacement CONTRIBUTE A TEST
- T1498.001 Direct Network Flood CONTRIBUTE A TEST
- T1561.001 Disk Content Wipe CONTRIBUTE A TEST
- T1561.002 Disk Structure Wipe CONTRIBUTE A TEST
- T1561 Disk Wipe CONTRIBUTE A TEST
- T1499 Endpoint Denial of Service CONTRIBUTE A TEST
- T1491.002 External Defacement CONTRIBUTE A TEST
- T1495 Firmware Corruption CONTRIBUTE A TEST
- T1490 Inhibit System Recovery
- Atomic Test #1: Windows - Delete Volume Shadow Copies [windows]
- Atomic Test #2: Windows - Delete Volume Shadow Copies via WMI [windows]
- Atomic Test #3: Windows - wbadmin Delete Windows Backup Catalog [windows]
- Atomic Test #4: Windows - Disable Windows Recovery Console Repair [windows]
- Atomic Test #5: Windows - Delete Volume Shadow Copies via WMI with PowerShell [windows]
- Atomic Test #6: Windows - Delete Backup Files [windows]
- Atomic Test #7: Windows - wbadmin Delete systemstatebackup [windows]
- T1491.001 Internal Defacement
- Atomic Test #1: Replace Desktop Wallpaper [windows]
- T1498 Network Denial of Service CONTRIBUTE A TEST
- T1499.001 OS Exhaustion Flood CONTRIBUTE A TEST
- T1498.002 Reflection Amplification CONTRIBUTE A TEST
- T1496 Resource Hijacking
- Atomic Test #1: macOS/Linux - Simulate CPU Load with Yes [macos, linux]
- T1565.003 Runtime Data Manipulation CONTRIBUTE A TEST
- T1499.002 Service Exhaustion Flood CONTRIBUTE A TEST
- T1489 Service Stop
- Atomic Test #1: Windows - Stop service using Service Controller [windows]
- Atomic Test #2: Windows - Stop service using net.exe [windows]
- Atomic Test #3: Windows - Stop service by killing process [windows]
- T1565.001 Stored Data Manipulation CONTRIBUTE A TEST
- T1529 System Shutdown/Reboot
- Atomic Test #1: Shutdown System - Windows [windows]
- Atomic Test #2: Restart System - Windows [windows]
- Atomic Test #3: Restart System via
shutdown
- macOS/Linux [macos, linux] - Atomic Test #4: Shutdown System via
shutdown
- macOS/Linux [macos, linux] - Atomic Test #5: Restart System via
reboot
- macOS/Linux [macos, linux] - Atomic Test #6: Shutdown System via
halt
- Linux [linux] - Atomic Test #7: Reboot System via
halt
- Linux [linux] - Atomic Test #8: Shutdown System via
poweroff
- Linux [linux] - Atomic Test #9: Reboot System via
poweroff
- Linux [linux]
- T1565.002 Transmitted Data Manipulation CONTRIBUTE A TEST
- T1087 Account Discovery CONTRIBUTE A TEST
- T1010 Application Window Discovery
- Atomic Test #1: List Process Main Windows - C# .NET [windows]
- T1217 Browser Bookmark Discovery
- Atomic Test #1: List Mozilla Firefox Bookmark Database Files on Linux [linux]
- Atomic Test #2: List Mozilla Firefox Bookmark Database Files on macOS [macos]
- Atomic Test #3: List Google Chrome Bookmark JSON Files on macOS [macos]
- Atomic Test #4: List Google Chrome Bookmarks on Windows with powershell [windows]
- Atomic Test #5: List Google Chrome / Edge Chromium Bookmarks on Windows with command prompt [windows]
- Atomic Test #6: List Mozilla Firefox bookmarks on Windows with command prompt [windows]
- Atomic Test #7: List Internet Explorer Bookmarks using the command prompt [windows]
- T1087.004 Cloud Account CONTRIBUTE A TEST
- T1069.003 Cloud Groups CONTRIBUTE A TEST
- T1580 Cloud Infrastructure Discovery CONTRIBUTE A TEST
- T1538 Cloud Service Dashboard CONTRIBUTE A TEST
- T1526 Cloud Service Discovery CONTRIBUTE A TEST
- T1613 Container and Resource Discovery CONTRIBUTE A TEST
- T1087.002 Domain Account
- Atomic Test #1: Enumerate all accounts (Domain) [windows]
- Atomic Test #2: Enumerate all accounts via PowerShell (Domain) [windows]
- Atomic Test #3: Enumerate logged on users via CMD (Domain) [windows]
- Atomic Test #4: Automated AD Recon (ADRecon) [windows]
- Atomic Test #5: Adfind -Listing password policy [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Admins [windows]
- Atomic Test #7: Adfind - Enumerate Active Directory User Objects [windows]
- Atomic Test #8: Adfind - Enumerate Active Directory Exchange AD Objects [windows]
- Atomic Test #9: Enumerate Default Domain Admin Details (Domain) [windows]
- Atomic Test #10: Enumerate Active Directory for Unconstrained Delegation [windows]
- T1069.002 Domain Groups
- Atomic Test #1: Basic Permission Groups Discovery Windows (Domain) [windows]
- Atomic Test #2: Permission Groups Discovery PowerShell (Domain) [windows]
- Atomic Test #3: Elevated group enumeration using net group (Domain) [windows]
- Atomic Test #4: Find machines where user has local admin access (PowerView) [windows]
- Atomic Test #5: Find local admins on all machines in domain (PowerView) [windows]
- Atomic Test #6: Find Local Admins via Group Policy (PowerView) [windows]
- Atomic Test #7: Enumerate Users Not Requiring Pre Auth (ASRepRoast) [windows]
- Atomic Test #8: Adfind - Query Active Directory Groups [windows]
- T1482 Domain Trust Discovery
- Atomic Test #1: Windows - Discover domain trusts with dsquery [windows]
- Atomic Test #2: Windows - Discover domain trusts with nltest [windows]
- Atomic Test #3: Powershell enumerate domains and forests [windows]
- Atomic Test #4: Adfind - Enumerate Active Directory OUs [windows]
- Atomic Test #5: Adfind - Enumerate Active Directory Trusts [windows]
- T1087.003 Email Account CONTRIBUTE A TEST
- T1083 File and Directory Discovery
- Atomic Test #1: File and Directory Discovery (cmd.exe) [windows]
- Atomic Test #2: File and Directory Discovery (PowerShell) [windows]
- Atomic Test #3: Nix File and Diectory Discovery [macos, linux]
- Atomic Test #4: Nix File and Directory Discovery 2 [macos, linux]
- T1016.001 Internet Connection Discovery CONTRIBUTE A TEST
- T1087.001 Local Account
- Atomic Test #1: Enumerate all accounts (Local) [linux]
- Atomic Test #2: View sudoers access [linux, macos]
- Atomic Test #3: View accounts with UID 0 [linux, macos]
- Atomic Test #4: List opened files by user [linux, macos]
- Atomic Test #5: Show if a user account has ever logged in remotely [linux]
- Atomic Test #6: Enumerate users and groups [linux, macos]
- Atomic Test #7: Enumerate users and groups [macos]
- Atomic Test #8: Enumerate all accounts on Windows (Local) [windows]
- Atomic Test #9: Enumerate all accounts via PowerShell (Local) [windows]
- Atomic Test #10: Enumerate logged on users via CMD (Local) [windows]
- Atomic Test #11: Enumerate logged on users via PowerShell [windows]
- T1069.001 Local Groups
- Atomic Test #1: Permission Groups Discovery (Local) [macos, linux]
- Atomic Test #2: Basic Permission Groups Discovery Windows (Local) [windows]
- Atomic Test #3: Permission Groups Discovery PowerShell (Local) [windows]
- T1046 Network Service Scanning
- Atomic Test #1: Port Scan [linux, macos]
- Atomic Test #2: Port Scan Nmap [linux, macos]
- Atomic Test #3: Port Scan NMap for Windows [windows]
- Atomic Test #4: Port Scan using python [windows]
- T1135 Network Share Discovery
- Atomic Test #1: Network Share Discovery [macos]
- Atomic Test #2: Network Share Discovery - linux [linux]
- Atomic Test #3: Network Share Discovery command prompt [windows]
- Atomic Test #4: Network Share Discovery PowerShell [windows]
- Atomic Test #5: View available share drives [windows]
- Atomic Test #6: Share Discovery with PowerView [windows]
- T1040 Network Sniffing
- Atomic Test #1: Packet Capture Linux [linux]
- Atomic Test #2: Packet Capture macOS [macos]
- Atomic Test #3: Packet Capture Windows Command Prompt [windows]
- Atomic Test #4: Windows Internal Packet Capture [windows]
- T1201 Password Policy Discovery
- Atomic Test #1: Examine password complexity policy - Ubuntu [linux]
- Atomic Test #2: Examine password complexity policy - CentOS/RHEL 7.x [linux]
- Atomic Test #3: Examine password complexity policy - CentOS/RHEL 6.x [linux]
- Atomic Test #4: Examine password expiration policy - All Linux [linux]
- Atomic Test #5: Examine local password policy - Windows [windows]
- Atomic Test #6: Examine domain password policy - Windows [windows]
- Atomic Test #7: Examine password policy - macOS [macos]
- T1120 Peripheral Device Discovery
- Atomic Test #1: Win32_PnPEntity Hardware Inventory [windows]
- T1069 Permission Groups Discovery CONTRIBUTE A TEST
- T1057 Process Discovery
- Atomic Test #1: Process Discovery - ps [macos, linux]
- Atomic Test #2: Process Discovery - tasklist [windows]
- T1012 Query Registry
- Atomic Test #1: Query Registry [windows]
- T1018 Remote System Discovery
- Atomic Test #1: Remote System Discovery - net [windows]
- Atomic Test #2: Remote System Discovery - net group Domain Computers [windows]
- Atomic Test #3: Remote System Discovery - nltest [windows]
- Atomic Test #4: Remote System Discovery - ping sweep [windows]
- Atomic Test #5: Remote System Discovery - arp [windows]
- Atomic Test #6: Remote System Discovery - arp nix [linux, macos]
- Atomic Test #7: Remote System Discovery - sweep [linux, macos]
- Atomic Test #8: Remote System Discovery - nslookup [windows]
- Atomic Test #9: Remote System Discovery - adidnsdump [windows]
- Atomic Test #10: Adfind - Enumerate Active Directory Computer Objects [windows]
- Atomic Test #11: Adfind - Enumerate Active Directory Domain Controller Objects [windows]
- T1518.001 Security Software Discovery
- Atomic Test #1: Security Software Discovery [windows]
- Atomic Test #2: Security Software Discovery - powershell [windows]
- Atomic Test #3: Security Software Discovery - ps (macOS) [macos]
- Atomic Test #4: Security Software Discovery - ps (Linux) [linux]
- Atomic Test #5: Security Software Discovery - Sysmon Service [windows]
- Atomic Test #6: Security Software Discovery - AV Discovery via WMI [windows]
- T1518 Software Discovery
- Atomic Test #1: Find and Display Internet Explorer Browser Version [windows]
- Atomic Test #2: Applications Installed [windows]
- Atomic Test #3: Find and Display Safari Browser Version [macos]
- T1497.001 System Checks
- Atomic Test #1: Detect Virtualization Environment (Linux) [linux]
- Atomic Test #2: Detect Virtualization Environment (Windows) [windows]
- Atomic Test #3: Detect Virtualization Environment (MacOS) [macos]
- T1082 System Information Discovery
- Atomic Test #1: System Information Discovery [windows]
- Atomic Test #2: System Information Discovery [macos]
- Atomic Test #3: List OS Information [linux, macos]
- Atomic Test #4: Linux VM Check via Hardware [linux]
- Atomic Test #5: Linux VM Check via Kernel Modules [linux]
- Atomic Test #6: Hostname Discovery (Windows) [windows]
- Atomic Test #7: Hostname Discovery [linux, macos]
- Atomic Test #8: Windows MachineGUID Discovery [windows]
- Atomic Test #9: Griffon Recon [windows]
- Atomic Test #10: Environment variables discovery on windows [windows]
- Atomic Test #11: Environment variables discovery on macos and linux [macos, linux]
- T1614 System Location Discovery CONTRIBUTE A TEST
- T1016 System Network Configuration Discovery
- Atomic Test #1: System Network Configuration Discovery on Windows [windows]
- Atomic Test #2: List Windows Firewall Rules [windows]
- Atomic Test #3: System Network Configuration Discovery [macos, linux]
- Atomic Test #4: System Network Configuration Discovery (TrickBot Style) [windows]
- Atomic Test #5: List Open Egress Ports [windows]
- Atomic Test #6: Adfind - Enumerate Active Directory Subnet Objects [windows]
- Atomic Test #7: Qakbot Recon [windows]
- Atomic Test #8: List macOS Firewall Rules [macos]
- T1049 System Network Connections Discovery
- Atomic Test #1: System Network Connections Discovery [windows]
- Atomic Test #2: System Network Connections Discovery with PowerShell [windows]
- Atomic Test #3: System Network Connections Discovery Linux & MacOS [linux, macos]
- Atomic Test #4: System Discovery using SharpView [windows]
- T1033 System Owner/User Discovery
- Atomic Test #1: System Owner/User Discovery [windows]
- Atomic Test #2: System Owner/User Discovery [linux, macos]
- Atomic Test #3: Find computers where user has session - Stealth mode (PowerView) [windows]
- T1007 System Service Discovery
- Atomic Test #1: System Service Discovery [windows]
- Atomic Test #2: System Service Discovery - net.exe [windows]
- T1124 System Time Discovery
- Atomic Test #1: System Time Discovery [windows]
- Atomic Test #2: System Time Discovery - PowerShell [windows]
- T1497.003 Time Based Evasion CONTRIBUTE A TEST
- T1497.002 User Activity Based Checks CONTRIBUTE A TEST
- T1497 Virtualization/Sandbox Evasion CONTRIBUTE A TEST
- T1583 Acquire Infrastructure CONTRIBUTE A TEST
- T1583.005 Botnet CONTRIBUTE A TEST
- T1584.005 Botnet CONTRIBUTE A TEST
- T1587.002 Code Signing Certificates CONTRIBUTE A TEST
- T1588.003 Code Signing Certificates CONTRIBUTE A TEST
- T1586 Compromise Accounts CONTRIBUTE A TEST
- T1584 Compromise Infrastructure CONTRIBUTE A TEST
- T1583.002 DNS Server CONTRIBUTE A TEST
- T1584.002 DNS Server CONTRIBUTE A TEST
- T1587 Develop Capabilities CONTRIBUTE A TEST
- T1587.003 Digital Certificates CONTRIBUTE A TEST
- T1588.004 Digital Certificates CONTRIBUTE A TEST
- T1583.001 Domains CONTRIBUTE A TEST
- T1584.001 Domains CONTRIBUTE A TEST
- T1608.004 Drive-by Target CONTRIBUTE A TEST
- T1585.002 Email Accounts CONTRIBUTE A TEST
- T1586.002 Email Accounts CONTRIBUTE A TEST
- T1585 Establish Accounts CONTRIBUTE A TEST
- T1587.004 Exploits CONTRIBUTE A TEST
- T1588.005 Exploits CONTRIBUTE A TEST
- T1608.003 Install Digital Certificate CONTRIBUTE A TEST
- T1608.005 Link Target CONTRIBUTE A TEST
- T1587.001 Malware CONTRIBUTE A TEST
- T1588.001 Malware CONTRIBUTE A TEST
- T1588 Obtain Capabilities CONTRIBUTE A TEST
- T1583.004 Server CONTRIBUTE A TEST
- T1584.004 Server CONTRIBUTE A TEST
- T1585.001 Social Media Accounts CONTRIBUTE A TEST
- T1586.001 Social Media Accounts CONTRIBUTE A TEST
- T1608 Stage Capabilities CONTRIBUTE A TEST
- T1588.002 Tool CONTRIBUTE A TEST
- T1608.001 Upload Malware CONTRIBUTE A TEST
- T1608.002 Upload Tool CONTRIBUTE A TEST
- T1583.003 Virtual Private Server CONTRIBUTE A TEST
- T1584.003 Virtual Private Server CONTRIBUTE A TEST
- T1588.006 Vulnerabilities CONTRIBUTE A TEST
- T1583.006 Web Services CONTRIBUTE A TEST
- T1584.006 Web Services CONTRIBUTE A TEST
- T1595 Active Scanning CONTRIBUTE A TEST
- T1591.002 Business Relationships CONTRIBUTE A TEST
- T1596.004 CDNs CONTRIBUTE A TEST
- T1592.004 Client Configurations CONTRIBUTE A TEST
- T1589.001 Credentials CONTRIBUTE A TEST
- T1590.002 DNS CONTRIBUTE A TEST
- T1596.001 DNS/Passive DNS CONTRIBUTE A TEST
- T1591.001 Determine Physical Locations CONTRIBUTE A TEST
- T1596.003 Digital Certificates CONTRIBUTE A TEST
- T1590.001 Domain Properties CONTRIBUTE A TEST
- T1589.002 Email Addresses CONTRIBUTE A TEST
- T1589.003 Employee Names CONTRIBUTE A TEST
- T1592.003 Firmware CONTRIBUTE A TEST
- T1592 Gather Victim Host Information CONTRIBUTE A TEST
- T1589 Gather Victim Identity Information CONTRIBUTE A TEST
- T1590 Gather Victim Network Information CONTRIBUTE A TEST
- T1591 Gather Victim Org Information CONTRIBUTE A TEST
- T1592.001 Hardware CONTRIBUTE A TEST
- T1590.005 IP Addresses CONTRIBUTE A TEST
- T1591.003 Identify Business Tempo CONTRIBUTE A TEST
- T1591.004 Identify Roles CONTRIBUTE A TEST
- T1590.006 Network Security Appliances CONTRIBUTE A TEST
- T1590.004 Network Topology CONTRIBUTE A TEST
- T1590.003 Network Trust Dependencies CONTRIBUTE A TEST
- T1598 Phishing for Information CONTRIBUTE A TEST
- T1597.002 Purchase Technical Data CONTRIBUTE A TEST
- T1596.005 Scan Databases CONTRIBUTE A TEST
- T1595.001 Scanning IP Blocks CONTRIBUTE A TEST
- T1597 Search Closed Sources CONTRIBUTE A TEST
- T1593.002 Search Engines CONTRIBUTE A TEST
- T1596 Search Open Technical Databases CONTRIBUTE A TEST
- T1593 Search Open Websites/Domains CONTRIBUTE A TEST
- T1594 Search Victim-Owned Websites CONTRIBUTE A TEST
- T1593.001 Social Media CONTRIBUTE A TEST
- T1592.002 Software CONTRIBUTE A TEST
- T1598.002 Spearphishing Attachment CONTRIBUTE A TEST
- T1598.003 Spearphishing Link CONTRIBUTE A TEST
- T1598.001 Spearphishing Service CONTRIBUTE A TEST
- T1597.001 Threat Intel Vendors CONTRIBUTE A TEST
- T1595.002 Vulnerability Scanning CONTRIBUTE A TEST
- T1596.002 WHOIS CONTRIBUTE A TEST
- T1059.002 AppleScript
- Atomic Test #1: AppleScript [macos]
- T1053.001 At (Linux)
- Atomic Test #1: At - Schedule a job [linux]
- T1053.002 At (Windows)
- Atomic Test #1: At.exe Scheduled task [windows]
- T1059 Command and Scripting Interpreter CONTRIBUTE A TEST
- T1559.001 Component Object Model CONTRIBUTE A TEST
- T1175 Component Object Model and Distributed COM CONTRIBUTE A TEST
- T1609 Container Administration Command
- Atomic Test #1: ExecIntoContainer [linux, macos]
- T1053.007 Container Orchestration Job
- Atomic Test #1: ListCronjobs [linux, macos]
- Atomic Test #2: CreateCronjob [linux, macos]
- T1053.003 Cron
- Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux]
- Atomic Test #2: Cron - Add script to all cron subfolders [macos, linux]
- Atomic Test #3: Cron - Add script to /var/spool/cron/crontabs/ folder [linux]
- T1610 Deploy Container
- Atomic Test #1: Deploy container using nsenter container escape [linux]
- T1559.002 Dynamic Data Exchange
- Atomic Test #1: Execute Commands [windows]
- Atomic Test #2: Execute PowerShell script via Word DDE [windows]
- Atomic Test #3: DDEAUTO [windows]
- T1203 Exploitation for Client Execution CONTRIBUTE A TEST
- T1061 Graphical User Interface CONTRIBUTE A TEST
- T1559 Inter-Process Communication CONTRIBUTE A TEST
- T1059.007 JavaScript CONTRIBUTE A TEST
- T1569.001 Launchctl
- Atomic Test #1: Launchctl [macos]
- T1053.004 Launchd
- Atomic Test #1: Event Monitor Daemon Persistence [macos]
- T1204.002 Malicious File
- Atomic Test #1: OSTap Style Macro Execution [windows]
- Atomic Test #2: OSTap Payload Download [windows]
- Atomic Test #3: Maldoc choice flags command execution [windows]
- Atomic Test #4: OSTAP JS version [windows]
- Atomic Test #5: Office launching .bat file from AppData [windows]
- Atomic Test #6: Excel 4 Macro [windows]
- Atomic Test #7: Headless Chrome code execution via VBA [windows]
- Atomic Test #8: Potentially Unwanted Applications (PUA) [windows]
- T1204.003 Malicious Image CONTRIBUTE A TEST
- T1204.001 Malicious Link CONTRIBUTE A TEST
- T1106 Native API
- Atomic Test #1: Execution through API - CreateProcess [windows]
- T1059.008 Network Device CLI CONTRIBUTE A TEST
- T1059.001 PowerShell
- Atomic Test #1: Mimikatz [windows]
- Atomic Test #2: Run BloodHound from local disk [windows]
- Atomic Test #3: Run Bloodhound from Memory using Download Cradle [windows]
- Atomic Test #4: Obfuscation Tests [windows]
- Atomic Test #5: Mimikatz - Cradlecraft PsSendKeys [windows]
- Atomic Test #6: Invoke-AppPathBypass [windows]
- Atomic Test #7: Powershell MsXml COM object - with prompt [windows]
- Atomic Test #8: Powershell XML requests [windows]
- Atomic Test #9: Powershell invoke mshta.exe download [windows]
- Atomic Test #10: Powershell Invoke-DownloadCradle [windows]
- Atomic Test #11: PowerShell Fileless Script Execution [windows]
- Atomic Test #12: PowerShell Downgrade Attack [windows]
- Atomic Test #13: NTFS Alternate Data Stream Access [windows]
- Atomic Test #14: PowerShell Session Creation and Use [windows]
- Atomic Test #15: ATHPowerShellCommandLineParameter -Command parameter variations [windows]
- Atomic Test #16: ATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments [windows]
- Atomic Test #17: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations [windows]
- Atomic Test #18: ATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments [windows]
- T1059.006 Python
- Atomic Test #1: Execute shell script via python's command mode arguement [linux]
- Atomic Test #2: Execute Python via scripts (Linux) [linux]
- Atomic Test #3: Execute Python via Python executables (Linux) [linux]
- T1053.005 Scheduled Task
- Atomic Test #1: Scheduled Task Startup Script [windows]
- Atomic Test #2: Scheduled task Local [windows]
- Atomic Test #3: Scheduled task Remote [windows]
- Atomic Test #4: Powershell Cmdlet Scheduled Task [windows]
- Atomic Test #5: Task Scheduler via VBA [windows]
- Atomic Test #6: WMI Invoke-CimMethod Scheduled Task [windows]
- T1053 Scheduled Task/Job CONTRIBUTE A TEST
- T1064 Scripting CONTRIBUTE A TEST
- T1569.002 Service Execution
- Atomic Test #1: Execute a Command as a Service [windows]
- Atomic Test #2: Use PsExec to execute a command on a remote host [windows]
- T1129 Shared Modules CONTRIBUTE A TEST
- T1072 Software Deployment Tools CONTRIBUTE A TEST
- T1153 Source CONTRIBUTE A TEST
- T1569 System Services CONTRIBUTE A TEST
- T1053.006 Systemd Timers
- Atomic Test #1: Create Systemd Service and Timer [linux]
- T1059.004 Unix Shell
- Atomic Test #1: Create and Execute Bash Shell Script [macos, linux]
- Atomic Test #2: Command-Line Interface [macos, linux]
- T1204 User Execution CONTRIBUTE A TEST
- T1059.005 Visual Basic
- Atomic Test #1: Visual Basic script execution to gather local computer information [windows]
- Atomic Test #2: Encoded VBS code execution [windows]
- Atomic Test #3: Extract Memory via VBA [windows]
- T1059.003 Windows Command Shell
- Atomic Test #1: Create and Execute Batch Script [windows]
- Atomic Test #2: Writes text to a file and displays it. [windows]
- T1047 Windows Management Instrumentation
- Atomic Test #1: WMI Reconnaissance Users [windows]
- Atomic Test #2: WMI Reconnaissance Processes [windows]
- Atomic Test #3: WMI Reconnaissance Software [windows]
- Atomic Test #4: WMI Reconnaissance List Remote Services [windows]
- Atomic Test #5: WMI Execute Local Process [windows]
- Atomic Test #6: WMI Execute Remote Process [windows]
- Atomic Test #7: Create a Process using WMI Query and an Encoded Command [windows]
- Atomic Test #8: Create a Process using obfuscated Win32_Process [windows]
- T1550.001 Application Access Token CONTRIBUTE A TEST
- T1175 Component Object Model and Distributed COM CONTRIBUTE A TEST
- T1021.003 Distributed Component Object Model
- Atomic Test #1: PowerShell Lateral Movement using MMC20 [windows]
- T1210 Exploitation of Remote Services CONTRIBUTE A TEST
- T1534 Internal Spearphishing CONTRIBUTE A TEST
- T1570 Lateral Tool Transfer CONTRIBUTE A TEST
- T1550.002 Pass the Hash
- Atomic Test #1: Mimikatz Pass the Hash [windows]
- Atomic Test #2: crackmapexec Pass the Hash [windows]
- T1550.003 Pass the Ticket
- Atomic Test #1: Mimikatz Kerberos Ticket Attack [windows]
- T1563.002 RDP Hijacking
- Atomic Test #1: RDP hijacking [windows]
- T1021.001 Remote Desktop Protocol
- Atomic Test #1: RDP to DomainController [windows]
- Atomic Test #2: RDP to Server [windows]
- T1563 Remote Service Session Hijacking CONTRIBUTE A TEST
- T1021 Remote Services CONTRIBUTE A TEST
- T1091 Replication Through Removable Media CONTRIBUTE A TEST
- T1021.002 SMB/Windows Admin Shares
- Atomic Test #1: Map admin share [windows]
- Atomic Test #2: Map Admin Share PowerShell [windows]
- Atomic Test #3: Copy and Execute File with PsExec [windows]
- Atomic Test #4: Execute command writing output to local Admin Share [windows]
- T1021.004 SSH CONTRIBUTE A TEST
- T1563.001 SSH Hijacking CONTRIBUTE A TEST
- T1051 Shared Webroot CONTRIBUTE A TEST
- T1072 Software Deployment Tools CONTRIBUTE A TEST
- T1080 Taint Shared Content CONTRIBUTE A TEST
- T1550 Use Alternate Authentication Material CONTRIBUTE A TEST
- T1021.005 VNC CONTRIBUTE A TEST
- T1550.004 Web Session Cookie CONTRIBUTE A TEST
- T1021.006 Windows Remote Management
- Atomic Test #1: Enable Windows Remote Management [windows]
- Atomic Test #2: Invoke-Command [windows]
- Atomic Test #3: WinRM Access with Evil-WinRM [windows]
- T1071 Application Layer Protocol CONTRIBUTE A TEST
- T1573.002 Asymmetric Cryptography CONTRIBUTE A TEST
- T1102.002 Bidirectional Communication CONTRIBUTE A TEST
- T1043 Commonly Used Port CONTRIBUTE A TEST
- T1092 Communication Through Removable Media CONTRIBUTE A TEST
- T1071.004 DNS
- Atomic Test #1: DNS Large Query Volume [windows]
- Atomic Test #2: DNS Regular Beaconing [windows]
- Atomic Test #3: DNS Long Domain Query [windows]
- Atomic Test #4: DNS C2 [windows]
- T1568.003 DNS Calculation CONTRIBUTE A TEST
- T1132 Data Encoding CONTRIBUTE A TEST
- T1001 Data Obfuscation CONTRIBUTE A TEST
- T1102.001 Dead Drop Resolver CONTRIBUTE A TEST
- T1090.004 Domain Fronting CONTRIBUTE A TEST
- T1568.002 Domain Generation Algorithms CONTRIBUTE A TEST
- T1568 Dynamic Resolution CONTRIBUTE A TEST
- T1573 Encrypted Channel
- Atomic Test #1: OpenSSL C2 [windows]
- T1090.002 External Proxy CONTRIBUTE A TEST
- T1008 Fallback Channels CONTRIBUTE A TEST
- T1568.001 Fast Flux DNS CONTRIBUTE A TEST
- T1071.002 File Transfer Protocols CONTRIBUTE A TEST
- T1105 Ingress Tool Transfer
- Atomic Test #1: rsync remote file copy (push) [linux, macos]
- Atomic Test #2: rsync remote file copy (pull) [linux, macos]
- Atomic Test #3: scp remote file copy (push) [linux, macos]
- Atomic Test #4: scp remote file copy (pull) [linux, macos]
- Atomic Test #5: sftp remote file copy (push) [linux, macos]
- Atomic Test #6: sftp remote file copy (pull) [linux, macos]
- Atomic Test #7: certutil download (urlcache) [windows]
- Atomic Test #8: certutil download (verifyctl) [windows]
- Atomic Test #9: Windows - BITSAdmin BITS Download [windows]
- Atomic Test #10: Windows - PowerShell Download [windows]
- Atomic Test #11: OSTAP Worming Activity [windows]
- Atomic Test #12: svchost writing a file to a UNC path [windows]
- Atomic Test #13: Download a File with Windows Defender MpCmdRun.exe [windows]
- T1090.001 Internal Proxy
- Atomic Test #1: Connection Proxy [macos, linux]
- Atomic Test #2: Connection Proxy for macOS UI [macos]
- Atomic Test #3: portproxy reg key [windows]
- T1001.001 Junk Data CONTRIBUTE A TEST
- T1071.003 Mail Protocols CONTRIBUTE A TEST
- T1104 Multi-Stage Channels CONTRIBUTE A TEST
- T1090.003 Multi-hop Proxy CONTRIBUTE A TEST
- T1026 Multiband Communication CONTRIBUTE A TEST
- T1095 Non-Application Layer Protocol
- Atomic Test #1: ICMP C2 [windows]
- Atomic Test #2: Netcat C2 [windows]
- Atomic Test #3: Powercat C2 [windows]
- T1132.002 Non-Standard Encoding CONTRIBUTE A TEST
- T1571 Non-Standard Port
- Atomic Test #1: Testing usage of uncommonly used port with PowerShell [windows]
- Atomic Test #2: Testing usage of uncommonly used port [linux, macos]
- T1102.003 One-Way Communication CONTRIBUTE A TEST
- T1205.001 Port Knocking CONTRIBUTE A TEST
- T1001.003 Protocol Impersonation CONTRIBUTE A TEST
- T1572 Protocol Tunneling CONTRIBUTE A TEST
- T1090 Proxy CONTRIBUTE A TEST
- T1219 Remote Access Software
- Atomic Test #1: TeamViewer Files Detected Test on Windows [windows]
- Atomic Test #2: AnyDesk Files Detected Test on Windows [windows]
- Atomic Test #3: LogMeIn Files Detected Test on Windows [windows]
- T1132.001 Standard Encoding
- Atomic Test #1: Base64 Encoded data. [macos, linux]
- T1001.002 Steganography CONTRIBUTE A TEST
- T1573.001 Symmetric Cryptography CONTRIBUTE A TEST
- T1205 Traffic Signaling CONTRIBUTE A TEST
- T1071.001 Web Protocols
- Atomic Test #1: Malicious User Agents - Powershell [windows]
- Atomic Test #2: Malicious User Agents - CMD [windows]
- Atomic Test #3: Malicious User Agents - Nix [linux, macos]
- T1102 Web Service CONTRIBUTE A TEST
- T1020 Automated Exfiltration
- Atomic Test #1: IcedID Botnet HTTP PUT [windows]
- T1030 Data Transfer Size Limits
- Atomic Test #1: Data Transfer Size Limits [macos, linux]
- T1048 Exfiltration Over Alternative Protocol
- Atomic Test #1: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - SSH [macos, linux]
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST
- T1011.001 Exfiltration Over Bluetooth CONTRIBUTE A TEST
- T1041 Exfiltration Over C2 Channel CONTRIBUTE A TEST
- T1011 Exfiltration Over Other Network Medium CONTRIBUTE A TEST
- T1052 Exfiltration Over Physical Medium CONTRIBUTE A TEST
- T1048.001 Exfiltration Over Symmetric Encrypted Non-C2 Protocol CONTRIBUTE A TEST
- T1048.003 Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- Atomic Test #1: Exfiltration Over Alternative Protocol - HTTP [macos, linux]
- Atomic Test #2: Exfiltration Over Alternative Protocol - ICMP [windows]
- Atomic Test #3: Exfiltration Over Alternative Protocol - DNS [linux]
- Atomic Test #4: Exfiltration Over Alternative Protocol - HTTP [windows]
- Atomic Test #5: Exfiltration Over Alternative Protocol - SMTP [windows]
- T1567 Exfiltration Over Web Service CONTRIBUTE A TEST
- T1052.001 Exfiltration over USB CONTRIBUTE A TEST
- T1567.002 Exfiltration to Cloud Storage CONTRIBUTE A TEST
- T1567.001 Exfiltration to Code Repository CONTRIBUTE A TEST
- T1029 Scheduled Transfer CONTRIBUTE A TEST
- T1020.001 Traffic Duplication CONTRIBUTE A TEST
- T1537 Transfer Data to Cloud Account CONTRIBUTE A TEST
- T1078.004 Cloud Accounts CONTRIBUTE A TEST
- T1195.003 Compromise Hardware Supply Chain CONTRIBUTE A TEST
- T1195.001 Compromise Software Dependencies and Development Tools CONTRIBUTE A TEST
- T1195.002 Compromise Software Supply Chain CONTRIBUTE A TEST
- T1078.001 Default Accounts
- Atomic Test #1: Enable Guest account with RDP capability and admin priviliges [windows]
- T1078.002 Domain Accounts CONTRIBUTE A TEST
- T1189 Drive-by Compromise CONTRIBUTE A TEST
- T1190 Exploit Public-Facing Application CONTRIBUTE A TEST
- T1133 External Remote Services
- Atomic Test #1: Running Chrome VPN Extensions via the Registry 2 vpn extension [windows]
- T1200 Hardware Additions CONTRIBUTE A TEST
- T1078.003 Local Accounts
- Atomic Test #1: Create local account with admin priviliges [windows]
- T1566 Phishing CONTRIBUTE A TEST
- T1091 Replication Through Removable Media CONTRIBUTE A TEST
- T1566.001 Spearphishing Attachment
- Atomic Test #1: Download Phishing Attachment - VBScript [windows]
- Atomic Test #2: Word spawned a command shell and used an IP address in the command line [windows]
- T1566.002 Spearphishing Link CONTRIBUTE A TEST
- T1566.003 Spearphishing via Service CONTRIBUTE A TEST
- T1195 Supply Chain Compromise CONTRIBUTE A TEST
- T1199 Trusted Relationship CONTRIBUTE A TEST
- T1078 Valid Accounts CONTRIBUTE A TEST